921877aae0f0f9c36ad1292bf81321d9d8c9331b15942aef71c3e60b1f229da0

Analysis

max time kernel
94s
max time network
37s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-06-2023 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a33d8b156dfd04d7fc01e001025a3c41.exe
Size

561.5MB
MD5

a33d8b156dfd04d7fc01e001025a3c41
SHA1

eb0f18a573e706dd99093373cf02c9fe7c452c6f
SHA256

921877aae0f0f9c36ad1292bf81321d9d8c9331b15942aef71c3e60b1f229da0
SHA512

8e25072a64840d03b0cca87a2d004032a472ad951c8759291b47f6f820d9b3b01b56930ae32cd2172cefa9a2608f7b91578ace0c8fa0bb9128162f827063e984
SSDEEP

1572864:fhiZsTBhI4sMdg5s0LPvf4DqjNlpESwBgh9pcf2frte7hWt1:fwOlS4xgu0LPvwDqjnpEhum2ReG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setupappprogram_v8.4.exe

pid process

2024 setupappprogram_v8.4.exe
Loads dropped DLL 1 IoCs

Processes:

a33d8b156dfd04d7fc01e001025a3c41.exe

pid process

1156 a33d8b156dfd04d7fc01e001025a3c41.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

276 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 276 powershell.exe

pid	process
2024	setupappprogram_v8.4.exe

pid	process
1156	a33d8b156dfd04d7fc01e001025a3c41.exe

pid	process
276	powershell.exe

description	pid	process
Token: SeDebugPrivilege	276	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a33d8b156dfd04d7fc01e001025a3c41.exesetupappprogram_v8.4.exe

description	pid	process	target process
PID 1156 wrote to memory of 2024	1156	a33d8b156dfd04d7fc01e001025a3c41.exe	setupappprogram_v8.4.exe
PID 1156 wrote to memory of 2024	1156	a33d8b156dfd04d7fc01e001025a3c41.exe	setupappprogram_v8.4.exe
PID 1156 wrote to memory of 2024	1156	a33d8b156dfd04d7fc01e001025a3c41.exe	setupappprogram_v8.4.exe
PID 1156 wrote to memory of 2024	1156	a33d8b156dfd04d7fc01e001025a3c41.exe	setupappprogram_v8.4.exe
PID 1156 wrote to memory of 2024	1156	a33d8b156dfd04d7fc01e001025a3c41.exe	setupappprogram_v8.4.exe
PID 1156 wrote to memory of 2024	1156	a33d8b156dfd04d7fc01e001025a3c41.exe	setupappprogram_v8.4.exe
PID 1156 wrote to memory of 2024	1156	a33d8b156dfd04d7fc01e001025a3c41.exe	setupappprogram_v8.4.exe
PID 2024 wrote to memory of 276	2024	setupappprogram_v8.4.exe	powershell.exe
PID 2024 wrote to memory of 276	2024	setupappprogram_v8.4.exe	powershell.exe
PID 2024 wrote to memory of 276	2024	setupappprogram_v8.4.exe	powershell.exe
PID 2024 wrote to memory of 276	2024	setupappprogram_v8.4.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a33d8b156dfd04d7fc01e001025a3c41.exe
"C:\Users\Admin\AppData\Local\Temp\a33d8b156dfd04d7fc01e001025a3c41.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\setupappprogram_v8.4\setupappprogram_v8.4.exe
"C:\Users\Admin\AppData\Local\Temp\setupappprogram_v8.4\setupappprogram_v8.4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setupappprogram_v8.4\setupappprogram_v8.4.exe
Filesize
397.7MB

MD5
5246991a8749173aa82633ada40c6a23

SHA1
b4b883e99aad5afc27cb5c47466e80581bc850db

SHA256
90f9ebb1b5f6730ed99e3e90f7693c670d852b85b5d0d1c3f74134e7b659e885

SHA512
d2b8bb9496739613770d26f76e610a2f0eb70917e61c58495133b64c61908d4fd3c73f234b94538f7d83e0b3b0e86a37df4451af58f8f84c91b413610100d11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setupappprogram_v8.4\setupappprogram_v8.4.exe
Filesize
397.7MB

MD5
5246991a8749173aa82633ada40c6a23

SHA1
b4b883e99aad5afc27cb5c47466e80581bc850db

SHA256
90f9ebb1b5f6730ed99e3e90f7693c670d852b85b5d0d1c3f74134e7b659e885

SHA512
d2b8bb9496739613770d26f76e610a2f0eb70917e61c58495133b64c61908d4fd3c73f234b94538f7d83e0b3b0e86a37df4451af58f8f84c91b413610100d11d

Download Submit
\Users\Admin\AppData\Local\Temp\setupappprogram_v8.4\setupappprogram_v8.4.exe
Filesize
397.7MB

MD5
5246991a8749173aa82633ada40c6a23

SHA1
b4b883e99aad5afc27cb5c47466e80581bc850db

SHA256
90f9ebb1b5f6730ed99e3e90f7693c670d852b85b5d0d1c3f74134e7b659e885

SHA512
d2b8bb9496739613770d26f76e610a2f0eb70917e61c58495133b64c61908d4fd3c73f234b94538f7d83e0b3b0e86a37df4451af58f8f84c91b413610100d11d

Download Submit
memory/276-66-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/276-67-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2024-61-0x0000000001030000-0x00000000010F2000-memory.dmp

Filesize
776KB

Download
memory/2024-62-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/2024-63-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download